OFFICE OF INSPECTOR GENERAL
Audit Report
Fiscal Year 2012 Audit of Information Security at the Railroad Retirement Board

This abstract summarizes the results of the subject audit. The full report includes information protected from disclosure and has been designated for limited distribution pursuant to 5 U.S.C. § 552.

Report No. 13-04
February 12, 2013

RAILROAD RETIREMENT BOARD

REPORT ABSTRACT
Fiscal Year 2012 Audit of Information Security at the Railroad Retirement Board

The Office of Inspector General for the Railroad Retirement Board (RRB) conducted an audit of information security at the RRB for fiscal year (FY) 2012, as mandated by the Federal Information Security Management Act of 2002 (FISMA). The objectives of our audit included testing the effectiveness of the information security policies, procedures, and practices of a representative subset of the agency's information systems, and preparing a report on selected elements of the agency's information security program in compliance with the Department of Homeland Security's FY 2012 FISMA reporting instructions.

Our audit determined that the RRB continues to make progress in implementing an information security program that meets the requirements of FISMA; however, a fully effective security program has not yet been achieved. The significant deficiencies in the internal control structure over the review of the agency's contractor deliverables, associated with the risk management framework, and in the security configuration management program remain unresolved. We also noted some lesser deficiencies in the RRB's security program. In total, we made 19 detailed recommendations to RRB management related to:

   •   Ensuring compliance with recommended system configuration requirements, including documenting all necessary deviations and adhering to change control procedures for maintaining testing and approval documentation.
   •   Strengthening Identity and Access Management by revising procedures so that equipment and account privileges are extended only on the basis of written documentation, and that this documentation is retained.
   •   Revising procedures relating to Incident Response and Reporting in order to reduce delays in reporting potential personally identifiable information breaches.
   •   Improving remediation of security weaknesses by developing time standards and controls for entering weaknesses and ensuring all data fields are completed in the agency-wide Plan of Action and Milestones, as well as providing access and training to new users.
   •   Ensuring participation of all system owners in disaster recovery testing, comprehensive updates to the Business Impact Analysis and Business Continuity Plan documents, and the development of system-specific contingency plans which show the test coverage and frequency.
   •   Updating appropriate processes and procedures for the security awareness training required for RRB employees and contractors.

Agency Management has agreed to take corrective actions for all recommendations.